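---
# Certbot tasks: install packages, prepare either the HTTP (webroot) or the
# DNS (lexicon hook script) challenge, issue the certificate once, and
# schedule the daily renewal cron job.
#
# Selector variables read below: certbot_authtype ("http" | "dns"),
# certbot_authservice ("httpd" | "nginx"), certbot_authdns_provider
# ("ovh" | "gandi"), certbot_certname, certbot_adminemail, certbot_webuser.

- name: Include vars for {{ ansible_os_family }}
  ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"

- name: install packages
  ansible.builtin.package:
    name: "{{ certbot_packages }}"
    state: present
    update_cache: true

- name: Install httpd
  ansible.builtin.include_role:
    name: httpd
  vars:
    # NOTE(review): variable is spelled "cerbot" — confirm the httpd role
    # actually reads this name and not httpd_certbot.
    httpd_cerbot: false
    # httpd_hostname:
  notify: Restart httpd
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "httpd"

# - name: install web service packages
#   ansible.builtin.package:
#     name: "{{ certbot_webpackages }}"
#     state: present
#     update_cache: true
#   notify: Restart httpd
#   when:
#     - certbot_authtype == "http"
#     - certbot_authservice == "httpd"

# Webroot used by the HTTP-01 challenge; must match --webroot-path below.
- name: Make the necessary directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: '{{ certbot_webuser }}'
    group: '{{ certbot_webuser }}'
    # Octal modes are quoted so YAML 1.1 loaders do not read them as decimal.
    mode: "0755"
  loop:
    - /var/www/.well-known
    - /var/www/.well-known/acme-challenge
  when:
    - certbot_authtype == "http"

- name: Installation du fichier de verroux
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /var/www/.well-known/acme-challenge/{{ item }}
    owner: root
    group: root
    mode: "0644"
  loop:
    - test.html
  when:
    - certbot_authtype == "http"

- name: Installation de la configuration de la conf httpd
  ansible.builtin.copy:
    src: httpd_letsencrypt.conf
    dest: /etc/httpd/conf.d/letsencrypt.conf
    owner: root
    group: root
    mode: "0644"
  register: need_reload_httpd
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "httpd"

# Reload only when the configuration file above was actually written.
- name: Check if httpd is reloaded
  ansible.builtin.service:
    name: httpd
    state: reloaded
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "httpd"
    - need_reload_httpd is changed

- name: Installation de la configuration de la conf nginx
  ansible.builtin.copy:
    src: nginx_letsencrypt.conf
    # NOTE(review): Debian-style nginx layouts use "sites-enabled";
    # confirm this path exists on the target before relying on it.
    dest: /etc/nginx/site-enabled/ssl_force.conf
    owner: root
    group: root
    mode: "0644"
  register: need_reload_nginx
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "nginx"

- name: Check if nginx is reloaded
  ansible.builtin.service:
    name: nginx
    state: reloaded
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "nginx"
    # "is changed" test form: the "|changed" filter was removed in Ansible 2.9
    # and this now matches the httpd task above.
    - need_reload_nginx is changed

# - name: Open Firewalld
#   ansible.posix.firewalld:
#     service: http
#     permanent: true
#     state: enabled
#     immediate: true
#   when:
#     - certbot_authtype == "http"
#     - ansible_os_family == "RedHat"

# DNS-01 challenge: hook scripts run by certbot via --manual-auth-hook /
# --manual-cleanup-hook, one per supported provider.
- name: Installation des script pour le challenge DNS
  ansible.builtin.copy:
    src: etc/letsencrypt/{{ item }}
    dest: /etc/letsencrypt/{{ item }}
    owner: root
    group: root
    mode: "0755"
  # Fixed: the original "with_item" is not a valid loop keyword.
  loop:
    - lexicon-ovh.sh
    - lexicon-gandi.sh
  when:
    - certbot_authtype == "dns"

- name: Installation de la configuration pour le chalenge DNS via OVH
  ansible.builtin.template:
    src: etc/letsencrypt/ovh-api-keys.j2
    dest: /etc/letsencrypt/ovh-api-keys
    owner: root
    group: root
    # Holds provider API credentials; only root (who runs certbot and the
    # hooks) needs to read it, so do not leave it world-readable.
    mode: "0600"
  when:
    - certbot_authtype == "dns"
    - certbot_authdns_provider == "ovh"

- name: Installation de la configuration pour le chalenge DNS via Gandi
  ansible.builtin.template:
    src: etc/letsencrypt/gandi-api-keys.j2
    dest: /etc/letsencrypt/gandi-api-keys
    owner: root
    group: root
    # Same rationale as the OVH key file: credentials, root-only.
    mode: "0600"
  when:
    - certbot_authtype == "dns"
    - certbot_authdns_provider == "gandi"

# Issuance is skipped once a live fullchain exists; renewal is left to cron.
- name: Check if certificat already exist
  ansible.builtin.stat:
    path: /etc/letsencrypt/live/{{ certbot_certname }}/fullchain.pem
  register: cert

# NOTE(review): --manual-public-ip-logging-ok and --renew-by-default are
# legacy certbot flags; confirm the installed certbot version still accepts
# them.
- name: Install certbot and generate cert (http challenge)
  ansible.builtin.command: >
    certbot certonly --noninteractive --agree-tos --manual-public-ip-logging-ok
    --renew-by-default --text
    --webroot --webroot-path /var/www/
    --email {{ certbot_adminemail }} -d {{ certbot_certname }}
  when:
    - not cert.stat.exists
    - certbot_authtype == "http"

# The hook script is selected from certbot_authdns_provider so that the
# Gandi script installed above is actually used when that provider is chosen
# (previously the OVH script was hard-coded for every provider).
- name: Install certbot and generate cert (dns challenge)
  ansible.builtin.command: >
    certbot certonly --noninteractive --agree-tos --manual-public-ip-logging-ok
    --renew-by-default --text
    --manual
    --manual-auth-hook "/etc/letsencrypt/lexicon-{{ certbot_authdns_provider }}.sh create"
    --manual-cleanup-hook "/etc/letsencrypt/lexicon-{{ certbot_authdns_provider }}.sh delete"
    --preferred-challenges dns
    --email {{ certbot_adminemail }} -d {{ certbot_certname }}
  when:
    - not cert.stat.exists
    - certbot_authtype == "dns"

# - name: Ensure a cron job to auto-renew the cert exists
#   ansible.builtin.cron: name="daily auto renew cert"
#     special_time=daily
#     job="certbot renew --webroot --webroot-path /var/www/ --no-self-upgrade --post-hook \"systemctl reload httpd\" --quiet"
#     state=present
##   when: certbot_auto_renew

# NOTE(review): "certbot renew" alone writes the new certificate to disk but
# does not reload httpd/nginx, so the running service keeps serving the old
# one until its next restart. The commented-out variant above used
# --post-hook for this; consider a --deploy-hook matching certbot_authservice.
- name: Ensure a cron job to auto-renew the cert exists
  ansible.builtin.cron:
    name: "daily auto renew cert"
    special_time: daily
    job: "certbot renew --quiet"
    state: present
  # when: certbot_auto_renew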